Because my forum is locally focused I use .htaccess to ALLOW only U.S. ip's, to cut down on the spam kings of Russia and China and the like.

However; if I allow Guardian to add ip's banned because of harvesting or whatever, Guardian's altering of the file seems to cause it to fail so that my Russian antagonists and all others can once again access the site. The only real thing I see Guardian do is strip some of the header, but nothing that should effect operation. However it does append its bans after the allow list in a new section.

I thought the issue was the allow/deny order within .htaccess, having "deny from all" in the list. Removing "Deny from all" and getting my order correct fixed the raw list, but any change from Guardian opens the gates across the pond again, and these guys seem to sit at the gate.

I guess if I got into the code I might change where Guardian looks for .htaccess, but not having done that it's located where Guardian defaults to see it: .../cgi-bin/yabb2/

The premise of the .htaccess file is to lock out the world and only Allow the U.S., so all the IP's in the file make it over a meg long, so I won't post the whole file here, but I'll give you the head and foot, as that's where Guardian makes it's changes:

Quote:

Head of file:

<Limit GET HEAD POST>order allow,deny# Country: UNITED STATES# ISO Code: US# Total Networks: 40,389# Total Subnets: 1,531,462,904allow from 3.0.0.0/8allow from 4.0.0.0/8allow from 6.0.0.0/8allow from 7.0.0.0/8allow from 8.0.0.0/8allow from 9.0.0.0/8allow from 11.0.0.0/8blah blah hundreds later...

End of file:

allow from 216.255.160.0/20allow from 216.255.176.0/20allow from 216.255.192.0/19allow from 216.255.240.0/20##deny from allDeny from 129.121.96.85Deny from 91.224.246.87deny from 98.197.94.83deny from 173.236.25.162deny from 207.126.165.187</Limit>

Above is a Guardian untouched file. I've turned off Guardian's ability to alter the file so when I get an offending user I manually add them as you see in the closing deny from's before the file end.

Crap, you know what? I just figured out what it's doing, so I beg forgiveness for not showing the Guardian alteration because you guys will back me up on this without seeing it.

Guardian, when it adds an offending user wants to deny the offenders ip. It strips the header on the file and adds its own and Guardian's ORDER statement turns around the logic so that it states:

order deny,allow;

which turns the logic around backassward and now opens the gates for the world to walk through, as it appends the offensive ip to the list.

If you guys don't agree with me on that epiphany, I'll gladly finish the work and allow Guardian to alter the file, but I think you'll agree it's not necessary.

With that, what I need to do is get into the Guardian template?, is there one?... and alter the line that writes the ORDER statement to the file and that should cure the problem.

Any dissension to the premise?

« Last Edit: Nov 23rd, 2011 at 4:09am by TannerLynd »

IP Logged

TannerLynd

YaBB Newcomer
Offline

Posts: 7

None

Re: .htaccess and GuardianReply #3 - Nov 23rd, 2011 at 4:45am

Silly, cocky me. I thought I'd find a template for Guardian and barring that the line that wrote the ORDER statement in the .pl file would just jump right out at me. If I'm in the right perl file it doesn't jump out at me. I got into GuardianAdmin.pl to look for the .htaccess write lines, which do appear to be there, but I'm not good enough with perl to figure this out it seems.

Given I'm correct on the premise, anyone feel charitable in guiding me to alter the Guardian code so it writes the ORDER statement in .htaccess as:

Thanks for the suggestions Jon. I just happened across another Guardian file, so I'll see if I can figure the code out in there to mod it. It will be a simple fix when I find the line I'm looking for.

I just happened across a saved file after Guardian had altered it, so I will show exactly how Guardian is altering the ORDER line, usurping my inverted method of .htaccess, just so all can understand this thread with all the visuals.

The comment I'd make about my method with .htaccess is that, for me, it has really slammed the door shut on 90% of the world's spammers. What I found was that most of these guys were coming to me out of Russia, China, Latvia, etc. That opened the way for me to slam the border shut to America. Once again, because I am pandering to local traffic only to begin with, I can afford to make US only access the first rule using .htaccess. This method does however necessitate the reversing of the ORDER statement to acheive desired results, and does render Guardian no more than a barking sentry until I get the code fixed. But that still has it's application. It tells me when someone imposes and I can manually take corrective action until I can employ it to do the work once again.

Interestingly, most of these guys don't seem to be employing proxies, or if they do they are choosing offshore sites or something, cause they aren't getting through. I have noticed one or two proxy hits a day now tho, but the ip's in the list still only contain US sites.

Back on track to the benefits of this method with .htaccess: Before I employed this method of shutting the spammers out I had 20 or more hits a day with Pre-registration and Validated registration of these guys. After evoking this strategy, one or two of these a day max. And... I just looked at the registration log and I had a complete lull in undesirables registering from November 29th to today, tho the traffic has picked up to previous levels of one or two beginning again yesterday.

So it's not a cure-all, but it does limit spammers to being inside the country at least anyway, and we don't have near as many active as the rest of the globe it appears.

I do intend to employee one of the other options on top of this as well, to hopefully remove the one or two a day remaining.

IP Logged

TannerLynd

YaBB Newcomer
Offline

Posts: 7

None

Re: .htaccess and GuardianReply #7 - Dec 2nd, 2011 at 7:36pm

So I can't give a dissertation on the order of operation of deny/allow within the ORDER statement of the .htaccess file of Apache, but I can tell you the order of those two within the statement is the difference between ip allowed and ip banned, even tho the individual ip lines start with allow or deny themselves.

Guardian expects the statement to be used one way so it can ban additional ip's using the deny statement. Because I'm closing borders I have to use it inverted. If I allow Guardian to alter the file to add IP's, it rewrites the ORDER statement each time it adds a banned IP to the list, turning the order back around and rendering the borders open again somehow in the process.

You have the header of the .htaccess file that closes the borders and only allow US IP's above, earlier in the thread, below is the Guardian altered header which clearly shows Guardian turning the ORDER statement back around, re-opening the borders. I'll include the Guardian footer as well just so we can see how it adds to such a file to try and ban more IP's.

Quote:

# Last modified by The Guardian: Nov 15<sup>th</sup>, 2011 at 2:25pm #

<Limit GET HEAD POST>order deny,allowallow from 3.0.0.0/8allow from 4.0.0.0/8allow from 6.0.0.0/8allow from 7.0.0.0/8allow from 8.0.0.0/8allow from 9.0.0.0/8allow from 11.0.0.0/8allow from 12.0.0.0/8~~~~~

allow from 216.255.64.0/19allow from 216.255.96.0/19allow from 216.255.128.0/19allow from 216.255.160.0/20allow from 216.255.176.0/20allow from 216.255.192.0/19allow from 216.255.240.0/20deny from all</Limit>